UNIT III

ACCESS CONTROL AND SECURITY

Network Access Control: Network Access Control, Extensible

Authentication Protocol, IEEE 802.1X Port-Based Network Access Control
- IP Security - Internet Key Exchange (IKE). Transport-Level Security: Web
Security Considerations, Secure Sockets Layer, Transport Layer Security,
HTTPS standard, Secure Shell (SSH) application.

Network Access Control:

 Network Access Control is a security solution that uses a set of protocols
to keep unauthorized users and devices out of a private network or give
restricted access to the devices which are compliant with network security
policies. It is also known as Network Admission Control.
 NAC works on wired and wireless networks by identifying different
devices that are connected to the network.
 For setting up an NAC network security solution, administrators will
determine the protocols that will decide how devices and users are
authorized for the right level of authorization.
 Access rules are generally based on the criterion such as device used, the
location accessed from, the access rights of various individuals, as well as
the specific data and resources being accessed.

Components of Network Access Control Scheme:

1. Restricted Access: It restricts access to the network by user authentication

and authorization control. For example, the user can’t access a protected
network resource without permission to access it.
2. Network Boundary Protection: It monitors and controls the connectivity
of networks with external networks. It includes tools such as controlled
interfaces, intrusion detection, and anti-virus tools. It is also called
perimeter defense.

Types of Network Access Control:

1. Pre-admission: It happens before access to the network is granted on

initialization of request by user or device to access the network. It evaluates
the access attempt and only allows the access if the user or device is
 compliant with organization security policies and authorized to access the
network.
2. Post-admission: It happens within the network when the user or device
attempts to access the different parts of the network. It restricts the lateral
movement of the device within the network by asking for re-authentication
for each request to access a different part of the network.

Steps to Implement NAC Solutions:

Implement NAC Solutions

1. Gather Data: Perform an exhaustive survey and collect information about

every device, user, and server that has to interface with the network
resources.
2. Manage Identities: Verify user identities within the organization by
authentication and authorization.
3. Determine Permissions: Create permission policies stating different
access levels for identified user groups.
4. Apply for Permissions: Apply permission policies on identified user
groups and register each user in the NAC system to trace their access level
and activity within the network.
5. Update: Monitor security operations and make adjustments to permission
policies based on changing requirements of the organization with time.

Importance of Network Access Control:

A NAC system can deny network access to non-compliant devices or give them
only restricted access to computing resources, thus preventing insecure nodes
from infecting the network. Also, NAC products can handle large enterprise
networks that have a large range of different device types connected to the
network.

Responsibilities:

1. It allows only compliant, authenticated devices to access network resources

and infrastructure.
2. It controls and monitors the activity of connected devices on the network.
3. It restricts the availability of network resources of private organizations to
devices that follow their security policy.
4. It regulates the access of network resources to the users.
5. It mitigates network threats by enforcing security policies that block,
isolate, and repair non-compliant machines without administrator
attention.

Common Use-Cases:

1. Organizations that allow employees to use their own devices or take

corporate devices home use NAC to ensure network security.
2. Organizations use NAC to grant access to different network resources to
people or devices that are outside of the organization and are subjected to
different security controls.
3. NAC protects from threats caused due to use of IoT devices by categorizing
IoT devices into groups that have limited permission and constantly
monitoring their activities.

Benefits:

1. Users can be required to authenticate via multi-factor authentication, which

is much more secure than identifying users based on IP addresses or
username and password combinations.
2. It provides additional levels of protection around individual parts of the
network.

Limitations:
 1. It has low visibility in IoT devices and devices with no specific users
associated with it.
2. It does not protect from threats present inside the network.
3. It may not work for organizations if it is not compatible with existing
security controls.

Principle Elements of NAC(Network Access Control):

There are mainly three principle elements of NAC which are:

1.Access Requestor(AR).

2.Policy Servers.

3.Network Access Servers(NAS).

Three Principle Elements of NAC(Network Access Control).

Let’s look at them one by one now:

1.Access Requestor(AR): We may determine from the name that it is someone

attempting to gain access by requesting it. This access can be granted to any
entity, such as a device, person, or process.
  This entity attempts to get access to network resources. It might be any
device handled by the NAC system, such as servers, cameras, printers, and
other IP-enabled devices.
 ARs are also known as supplicants or clients at times. ARs ensures that no
entity has illegal access to protected resources.
 To get access, these ARs must follow to the organization’s specific
guidelines or policies.

2.Policy Server:

 The policy server analyzes what access should be provided to AR based on

the AR’s identity, permission level, attempted request, and an
organization’s established access policy.
 The policy server frequently relies on backend services, such as antivirus,
patch management, or a user directory, to function.
 The policy server helps to determine the host’s state. An organization
creates different access policies to clearly authorize or reject such access

3.Network Access Server(NAS):

 Users connecting to an organization’s internal network from distant

locations utilize the NAS as an access control point.
 Remote employees can connect to the company’s internal network via
NAS, which serves as an access point for them.

Thus, these were the Three Principle Elements of NAC (Network Access control).

 Network access control (NAC) is an umbrella term for managing access

to a network.
 NAC authenticates users logging into the network and determines what
data they can access and actions they can perform.
 NAC also examines the health of the user’s computer or mobile device (the
endpoints).

Extensible Authentication Protocol:

 Extensible Authentication Protocol (EAP) is an authentication framework

that is more flexible, extensible, and scalable. It does not involve any
 authentication method, but it specifies a set of standard functions that
authentication methods can employ to authenticate users.
 EAP supports the IEEE 802.1x standard. If 802.1x is enabled on a device,
it restricts network access until the client authenticates. A wireless client
can still connect to an AP even without authenticating. Still, it cannot send
data to other parts of the network unless it authenticates successfully.
 The enterprise modes of WPA, WPA2, and WPA3 support numerous EAP
methods and are used to implement EAP-based authentication
with 802.1x. The EAP methods must be supported on the wireless client
devices and configured on the authentication server.
 The Wireless LAN Controller (WLC) acts as an EAP intermediary
between the clients and the authentication server. Cisco WLCs can use a
local EAP server on the WLC or an external RADIUS server on the wired
network.
 The Extensible Authentication Protocol (EAP) authentication framework
has various authentication methods available, and most of them are based
on Transport Layer Security (TLS). Which method to settle on depends on
the security requirements, and if the EAP method is supported by the
supplicants and the authentication server.

EAP Challenge-Based Authentication Method

Extensible Authentication Protocol-Message Digest 5 (EAP-MD5)

This method utilizes the MD5 message-digest algorithm to conceal the

credentials in a hash. The hash is transmitted to the authentication server, where
it is matched to a local hash to ensure that the credentials are accurate.

EAP TLS Authentication Method

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

 The EAP-TLS Extensible Authentication Protocol method uses the TLS

Public Key Infrastructure (PKI) certificate authentication mechanism to
offer mutual authentication of the supplicant to the authentication server
and vice versa.
 EAP-TLS requires that both the supplicant and the authentication server be
issued a digital certificate signed by a certificate authority (CA) that they
both trust.
  Since the supplicant also needs a certificate for authentication, EAP-TLS
is considered the most secure authentication method. However, it is also
the most challenging method to implement because of the administrative
overhead of needing to install a certificate on the supplicant side.

EAP Tunneled TLS Authentication Methods

 EAP outer or tunneled TLS authentication methods, such as EAP-FAST,

EAP-TTLS, and PEAP, are used by EAP inner authentication methods to
tunnel within.
 Tunneled TLS authentication methods create a TLS outer tunnel between
the supplicant and the authentication server. After the encrypted tunnel is
established, the client authentication credentials are negotiated inside the
TLS outer tunnel using one of the EAP inner methods.
 This tunneling authentication method is quite similar to how an HTTPS
session between a web browser and a secure website is established.
 The HTTPS TLS tunnel is built once the web browser confirms the
legitimacy of the website’s certificate (one-way trust). Once the TLS
tunnel is established, the user may input login credentials on the website
through the secure TLS tunnel.

EAP Flexible Authentication via Secure Tunneling (EAP-FAST)

 Cisco Systems created EAP-FAST as an alternative to PEAP to enable

more rapid re-authentications and support for high-speed wireless
roaming. EAP-FAST, like PEAP, establishes a TLS outer tunnel and then
sends the client authentication credentials across that outer TLS tunnel.
 EAP-FAST can also re-authenticate quicker by employing a Protected
Access Credential (PAC). PAC is identical to a secure cookie stored locally
on the host as proof of successful authentication.

EAP Tunneled Transport Layer Security (EAP-TTLS)

 EAP-TTLS is functionally comparable to PEAP, but it is not as extensively

supported.
 PEAP supports EAP inner authentication methods, while EAP-TTLS can
support additional inner methods such as Challenge Handshake
Authentication Protocol (CHAP), legacy Password Authentication
 Protocol (PAP), and Microsoft Challenge Handshake Authentication
Protocol (MS-CHAP).

Protected Extensible Authentication Protocol (PEAP)

 In Protected EAP (PEAP), only the authentication server needs a

certificate. This lessens the administrative overhead of deploying EAP.
 PEAP will create an encrypted TLS tunnel between the supplicant and the
authentication server.
 After establishing the tunnel, PEAP utilizes one of the following EAP
authentication inner methods to authenticate the supplicant over the outer
PEAP TLS tunnel

EAP Generic Token Card (EAP-GTC) (PEAPv1)

 Cisco developed the EAP-GTC (PEAPv1) EAP inner method as an

alternate solution to MSCHAPv2.
 It aims to provide generic authentications to nearly any identity store,
including LDAP, NetIQ eDirectory, OTP token servers, and others.

IEEE 802.1X Port-Based Network Access Control:

 IEEE 802.1X Port-Based Network Access Control was designed to provide

access control functions for LANs.
 The terms supplicant, network access point, and authentication server
correspond to the EAP terms peer, authenticator, and authentication server,
respectively.

TERMINOLOGIES OF IEEE 802.1X:

Some of the terminologies used in IEEE 802.1X is listed below,
1. Authenticator: An entity at one end of a point-to-point LAN
segment that facilities authentication of the entity to the other end
of the link.
2. Authentication exchange: The two-party conversation between
systems performing an authentication process.
3. Authentication process: The cryptographic operations and
supporting data frames that perform the actual authentication.
4. Authentication server (AS): An entity that provides an
authentication service to an authenticator. This service
 determines, from the credentials provided by supplicant, whether
the supplicant is authorized to access the services provided by the
system in which the authenticator resides.
5. Authentication transport: The datagram session that actively
transfers the authentication exchange between two systems.
6. Bridge port: A port of an IEEE 802.1D or 802.1Q bridge.
7. Edge port: A bridge port attached to a LAN that has no other
bridges attached to it.
8. Network access port: A point of attachment of a system to a
LAN. It can be a physical port, such as a single LAN MAC
attached to a physical LAN segment, or a logical port, for
example, an IEEE 802.11 association between a station and an
access point.
9. Port access entity (PAE): The protocol entity associated with a
port. It can support the protocol functionality associated with the
authenticator, the supplicant, or both.
10.Supplicant: An entity at one end of a point-to-point LAN
segment that seeks to be authenticated by an authenticator
attached to the other end of that link.

IEEE 802.1X ACCESS CONTROL:

 Until the AS authenticates a supplicant (using an authentication protocol),

the authenticator only passes control and authentication messages between
the supplicant and the AS; the 802.1X control channel is unblocked, but
the 802.11 data channel is blocked.
 Once a supplicant is authenticated and keys are provided, the authenticator
can forward data from the supplicant, subject to predefined access control
limitations for the supplicant to the network.
 Under these circumstances, the data channel is unblocked. The essential
element defined in 802.1X is a protocol known as EAPOL (EAP over
LAN). EAPOL operates at the network layers and makes use of an IEEE
802 LAN, such as Ethernet or Wi-Fi, at the link level.
 EAPOL enables a supplicant to communicate with an authenticator and
supports the exchange of EAP packets for authentication. When the
supplicant first connects to the LAN, it does not know the MAC address of
the authenticator.
 Actually it doesn’t know whether there is an authenticator present at all.
By sending an EAPOL-Start packet to a special group-multicast address
reserved for IEEE 802.1X authenticators, a supplicant can determine
whether an authenticator is present and let it know that the supplicant is
ready.
 In many cases, the authenticator will already be notified that a new device
has connected from some hardware notification.
 For example, a hub knows that a cable is plugged in before the device sends
any data. In this case the authenticator may preempt the Start message with
its own message.
 In either case the authenticator sends an EAPRequest Identity message
encapsulated in an EAPOL-EAP packet.
 The EAPOLEAP is the EAPOL frame type used for transporting EAP
packets. The authenticator uses the EAP-Key packet to send cryptographic
keys to the supplicant once it has decided to admit it to the network.
 The EAP-Logoff packet type indicates that the supplicant wishes to be
disconnected from the network.
 The EAPOL packet format includes the following fields:
 Protocol version: version of EAPOL.
 Packet type: indicates start, EAP, key, logoff, etc.
 Packet body length: If the packet includes a body, this field
indicates the body length.
 Packet body: The payload for this EAPOL packet. An example
is an EAP packet.
IP SECURITY:

 IP Sec (Internet Protocol Security) is an Internet Engineering Task Force

(IETF) standard suite of protocols between two communication points
across the IP network that provide data authentication, integrity, and
confidentiality. It also defines the encrypted, decrypted, and authenticated
packets.
 The protocols needed for secure key exchange and key management are
defined in it.

Uses of IP Security

IPsec can be used to do the following things:

 To encrypt application layer data.

 To provide security for routers sending routing data across the public
internet.
 To provide authentication without encryption, like to authenticate that the
data originates from a known sender.
 To protect network data by setting up circuits using IPsec tunneling in
which all data being sent between the two endpoints is encrypted, as with
a Virtual Private Network(VPN) connection.

Components of IP Security

It has the following components:

1. Encapsulating Security Payload (ESP)

 2. Authentication Header (AH)
3. Internet Key Exchange (IKE)

1. Encapsulating Security Payload (ESP): It provides data integrity,

encryption, authentication, and anti-replay. It also provides authentication for
payload.

2. Authentication Header (AH): It also provides data integrity, authentication,

and anti-replay and it does not provide encryption. The anti-replay protection
protects against the unauthorized transmission of packets. It does not protect data
confidentiality.

IP Header

3. Internet Key Exchange (IKE): The Security Association (SA) establishes

shared security attributes between 2 network entities to support secure
communication. The Key Management Protocol (ISAKMP) and Internet Security
Association provides a framework for authentication and key exchange. ISAKMP
tells how the setup of the Security Associations (SAs) and how direct connections
between two hosts are using IPsec.
IP Security Architecture

IPSec (IP Security) architecture uses two protocols to secure the traffic or data
flow. These protocols are ESP (Encapsulation Security Payload) and AH
(Authentication Header). IPSec Architecture includes protocols, algorithms,
DOI, and Key Management. All these components are very important in order to
provide the three main services:

 Confidentiality
 Authenticity
 Integrity

Working on IP Security

 The host checks if the packet should be transmitted using IPsec or not. This
packet traffic triggers the security policy for itself. This is done when the
system sending the packet applies appropriate encryption. The incoming
 packets are also checked by the host that they are encrypted properly or
not.
 Then IKE Phase 1 starts in which the 2 hosts( using IPsec ) authenticate
themselves to each other to start a secure channel. It has 2 modes. The Main
mode provides greater security and the Aggressive mode which enables the
host to establish an IPsec circuit more quickly.
 The channel created in the last step is then used to securely negotiate the
way the IP circuit will encrypt data across the IP circuit.
 Now, the IKE Phase 2 is conducted over the secure channel in which the
two hosts negotiate the type of cryptographic algorithms to use on the
session and agree on secret keying material to be used with those
algorithms.
 Then the data is exchanged across the newly created IPsec encrypted
tunnel. These packets are encrypted and decrypted by the hosts using IPsec
SAs.
 When the communication between the hosts is completed or the session
times out then the IPsec tunnel is terminated by discarding the keys by both
hosts.

Features of IPSec

1. Authentication: IPSec provides authentication of IP packets using digital

signatures or shared secrets. This helps ensure that the packets are not
tampered with or forged.
2. Confidentiality: IPSec provides confidentiality by encrypting IP packets,
preventing eavesdropping on the network traffic.
3. Integrity: IPSec provides integrity by ensuring that IP packets have not
been modified or corrupted during transmission.
4. Key management: IPSec provides key management services, including
key exchange and key revocation, to ensure that cryptographic keys are
securely managed.
5. Tunneling: IPSec supports tunneling, allowing IP packets to be
encapsulated within another protocol, such as GRE (Generic Routing
Encapsulation) or L2TP (Layer 2 Tunneling Protocol).
6. Flexibility: IPSec can be configured to provide security for a wide range
of network topologies, including point-to-point, site-to-site, and remote
access connections.
 7. Interoperability: IPSec is an open standard protocol, which means that it
is supported by a wide range of vendors and can be used in heterogeneous
environments.

Advantages of IPSec

1. Strong security: IPSec provides strong cryptographic security services

that help protect sensitive data and ensure network privacy and integrity.
2. Wide compatibility: IPSec is an open standard protocol that is widely
supported by vendors and can be used in heterogeneous environments.
3. Flexibility: IPSec can be configured to provide security for a wide range
of network topologies, including point-to-point, site-to-site, and remote
access connections.
4. Scalability: IPSec can be used to secure large-scale networks and can be
scaled up or down as needed.
5. Improved network performance: IPSec can help improve network
performance by reducing network congestion and improving network
efficiency.

Disadvantages of IPSec

1. Configuration complexity: IPSec can be complex to configure and

requires specialized knowledge and skills.
2. Compatibility issues: IPSec can have compatibility issues with some
network devices and applications, which can lead to interoperability
problems.
3. Performance impact: IPSec can impact network performance due to the
overhead of encryption and decryption of IP packets.
4. Key management: IPSec requires effective key management to ensure the
security of the cryptographic keys used for encryption and authentication.
5. Limited protection: IPSec only provides protection for IP traffic, and
other protocols such as ICMP, DNS, and routing protocols may still be
vulnerable to attacks.

Internet Key Exchange (IKE):

Network Security refers to the measures taken by any enterprise or organization

to secure its computer network and data using both hardware and software
systems. Internet Key Exchange(IKE) is a key management protocol used to
secure communication and key exchange between two devices over any network.
Key exchange is done in two ways:

Manual Key Exchange

In Manual Key Exchange, the system administrator manually configures each

system with their keys. This method is suitable for small and static systems.

Automated Key Exchange

The keys will be created or generated based on the demand or requirement. This
method is suitable for large and distributed systems. Automated Key Exchange
has two main methods:

 Oakley Key Determination Protocol: Oakley key determination protocol

is based on the Diffie-Hellman key exchange protocol with some added
security. It is a generic protocol.
 ISAKMP(Internet Security Association and Key Management
Protocol): It provides a framework for key exchange and specific support
i.e the protocol can be either Authentication Header or Encapsulation
Security Protocol.
 SKEME Protocol: It is a key exchange technique that provides
anonymity, non-repudiation, and refreshment.

Phases of Internet Key Exchange(IKE)

IKE can be done in two phases:

IKE Phase-1

There will be two devices i.e. sender and receiver. Initially, the sender will
exchange the proposals for security services like encryption algorithms.
authentication algorithm, hash function, etc. The sender and receiver will form a
security association which is a collection of parameters that the two devices use.
Here, the ISAKMP session is established and called the ISAKMP tunnel or
Internet Key Exchange(IKE) Phase-1 tunnel which is bi-directional. When both
ends of the tunnel agree to accept a set of security parameters, Phase-1 is done.

Modes in Phase-1: In Phase-1, we have two modes:

  Main mode: The main mode of phase-1 uses six messages to secure the
key exchange and the Main mode is the more secure. It allows hiding the
end-point identifiers and the ability to select the crypto algorithms. In the
six messages: The first two messages negotiate the policy and the next two
messages depict the Diffie-hellman public values necessary for key
exchange and the next two messages are used to authenticate the Diffie-
hellman exchange.
 Aggressive mode: The Aggressive mode of phase-1 uses three messages
and it is less secure than the Main mode. It doesn’t allow hiding the
endpoints.

IKE Phase-2

There will be two devices i.e. sender and receiver. Once the sender and receiver
established the ISAKMP tunnel in phase-1 they move to phase-2. phase-2 always
operates in Quick mode. Here the security associations and services between the
two devices are negotiated. The devices will choose which
protocol(Authentication Header or Encapsulation Security Protocol) and which
algorithm to use.
Transport Level Security (Tls):
Web Security Considerations:
 The World Wide Web is fundamentally a client/server application
running over the Internet and TCP/IP intranets.
 The following characteristics of Web usage suggest the need for tailored
security tools:
 Web browsers are very easy to use, Web servers are relatively
easy to configure and manage, and Web content is increasingly
easy to develop, the underlying software is extraordinarily
complex.
 A Web server can be exploited as a launching pad into the
corporation’s or agency’s entire computer complex.
 Casual and untrained (in security matters) users are common
clients for Web based services.

Web Security Threats:

Two types of attacks are:
1. Passive attacks include eavesdropping on network traffic
between browser and server and gaining access to information on
a Web site that is supposed to be restricted.
2. Active attacks include impersonating another user, altering
messages in transit between client and server, and altering
information on a Web site.
Secure Socket Layer (SSL):

provides security to the data that is transferred between web browser and server.
SSL encrypts the link between a web server and a browser which ensures that all
data passed between them remain private and free from attack.

Secure Socket Layer Protocols:

 SSL record protocol

 Handshake protocol

 Change-cipher spec protocol

 Alert protocol

SSL Protocol Stack:

SSL Record Protocol:

SSL Record provides two services to SSL connection.

 Confidentiality

 Message Integrity

In the SSL Record Protocol application data is divided into fragments. The
fragment is compressed and then encrypted MAC (Message Authentication
Code) generated by algorithms like SHA (Secure Hash Protocol) and MD5
(Message Digest) is appended. After that encryption of the data is done and in
last SSL header is appended to the data.
Handshake Protocol:

Handshake Protocol is used to establish sessions. This protocol allows the client
and server to authenticate each other by sending a series of messages to each
other. Handshake protocol uses four phases to complete its cycle.

 Phase-1: In Phase-1 both Client and Server send hello-packets to each

other. In this IP session, cipher suite and protocol version are exchanged
for security purposes.

 Phase-2: Server sends his certificate and Server-key-exchange. The server

end phase-2 by sending the Server-hello-end packet.

 Phase-3: In this phase, Client replies to the server by sending his certificate
and Client-exchange-key.

 Phase-4: In Phase-4 Change-cipher suite occurs and after this the

Handshake Protocol ends.
SSL Handshake Protocol Phases diagrammatic representation

Change-cipher Protocol:

 This protocol uses the SSL record protocol. Unless Handshake Protocol is
completed, the SSL record Output will be in a pending state.
 After the handshake protocol, the Pending state is converted into the
current state.
 Change-cipher protocol consists of a single message which is 1 byte in
length and can have only one value.
 This protocol’s purpose is to cause the pending state to be copied into the
current state.
Alert Protocol:

This protocol is used to convey SSL-related alerts to the peer entity. Each
message in this protocol contains 2 bytes.

The level is further classified into two parts:

Warning (level = 1):

This Alert has no impact on the connection between sender and receiver. Some
of them are:

Bad certificate: When the received certificate is corrupt.

No certificate: When an appropriate certificate is not available.
Certificate expired: When a certificate has expired.
Certificate unknown: When some other unspecified issue arose in processing
the certificate, rendering it unacceptable.
Close notify: It notifies that the sender will no longer send any messages in the
connection.

Unsupported certificate: The type of certificate received is not supported.

Certificate revoked: The certificate received is in revocation list.

Fatal Error (level = 2):

This Alert breaks the connection between sender and receiver. The connection
will be stopped, cannot be resumed but can be restarted. Some of them are :

Handshake failure: When the sender is unable to negotiate an acceptable set of

security parameters given the options available.
Decompression failure: When the decompression function receives improper
input.
Illegal parameters: When a field is out of range or inconsistent with other fields.
Bad record MAC: When an incorrect MAC was received.
Unexpected message: When an inappropriate message is received.

The second byte in the Alert protocol describes the error.

Salient Features of Secure Socket Layer:

 The advantage of this approach is that the service can be tailored to the
specific needs of the given application.

 Secure Socket Layer was originated by Netscape.

 SSL is designed to make use of TCP to provide reliable end-to-end secure

service.

 This is a two-layered protocol.

Versions of SSL:

SSL 1 – Never released due to high insecurity.

SSL 2 – Released in 1995.
SSL 3 – Released in 1996.
TLS 1.0 – Released in 1999.
TLS 1.1 – Released in 2006.
TLS 1.2 – Released in 2008.
TLS 1.3 – Released in 2018.

SSL (Secure Sockets Layer) certificate is a digital certificate used to secure and
verify the identity of a website or an online service. The certificate is issued by a
trusted third-party called a Certificate Authority (CA), who verifies the identity
of the website or service before issuing the certificate.
The SSL certificate has several important characteristics that make it a reliable
solution for securing online transactions:

1. Encryption: The SSL certificate uses encryption algorithms to secure the

communication between the website or service and its users. This ensures
that the sensitive information, such as login credentials and credit card
information, is protected from being intercepted and read by unauthorized
parties.

2. Authentication: The SSL certificate verifies the identity of the website or

service, ensuring that users are communicating with the intended party and
not with an impostor. This provides assurance to users that their
information is being transmitted to a trusted entity.

3. Integrity: The SSL certificate uses message authentication codes (MACs)

to detect any tampering with the data during transmission. This ensures that
the data being transmitted is not modified in any way, preserving its
integrity.

4. Non-repudiation: SSL certificates provide non-repudiation of data,

meaning that the recipient of the data cannot deny having received it. This
is important in situations where the authenticity of the information needs
to be established, such as in e-commerce transactions.

5. Public-key cryptography: SSL certificates use public-key cryptography

for secure key exchange between the client and server. This allows the
client and server to securely exchange encryption keys, ensuring that the
encrypted information can only be decrypted by the intended recipient.

6. Session management: SSL certificates allow for the management of

secure sessions, allowing for the resumption of secure sessions after
interruption. This helps to reduce the overhead of establishing a new secure
connection each time a user accesses a website or service.

7. Certificates issued by trusted CAs: SSL certificates are issued by trusted

CAs, who are responsible for verifying the identity of the website or service
before issuing the certificate. This provides a high level of trust and
assurance to users that the website or service they are communicating with
is authentic and trustworthy.
Transport Layer Security:

Transport Layer Security (TLS) is a cryptographic protocol designed to provide

secure communication over a computer network. It ensures the privacy and
integrity of data exchanged between two systems, such as a web browser and a
web server. TLS evolved from its predecessor, Secure Sockets Layer (SSL), and
has become the standard protocol for securing internet communication.

Here are some key aspects of Transport Layer Security:

1. Encryption: TLS uses encryption algorithms to scramble the data being

transmitted, making it unreadable to anyone intercepting the
communication. This ensures the confidentiality of sensitive information.
2. Data Integrity: TLS employs hash functions and digital signatures to
verify the integrity of the data. This ensures that the information has not
been tampered with during transmission.
3. Authentication: TLS supports various methods of authenticating the
parties involved in a communication. This helps in confirming the identity
of the server to the client and, optionally, the client to the server.
4. Key Exchange: TLS facilitates the exchange of cryptographic keys
between the communicating parties. This process is crucial for establishing
a secure communication channel.
5. Versions: TLS has gone through several versions, with each version
addressing vulnerabilities and introducing improvements. Common
versions include TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3, and each version has
its own set of security features and improvements.
6. Handshake Protocol: TLS begins with a handshake between the client
and server to negotiate the parameters of the secure connection. This
includes agreeing on encryption algorithms, exchanging cryptographic
keys, and confirming authentication.
7. Usage: TLS is commonly used to secure various applications and
protocols, including HTTPS for secure web browsing, email
communication (SMTP, IMAP, and POP3), virtual private networks
(VPNs), and more.
8. Forward Secrecy: TLS supports forward secrecy, which means that even
if an attacker were to obtain the encryption keys at a later time, they would
not be able to decrypt past communications.
Secure Shell (SSH):

Secure Shell (SSH) is a cryptographic network protocol used for secure

communication over an unsecured network. The primary purpose of SSH is to
provide a secure way to access and manage network devices, servers, and other
systems remotely. It encrypts the communication between the client and the
server, preventing eavesdropping, tampering, and other security threats. Here are
key aspects of SSH:

1. Encryption: SSH encrypts the data exchanged between the client and
server, ensuring that even if someone intercepts the communication, they
cannot decipher the content.
2. Authentication: SSH provides various methods of user authentication,
including password-based authentication, public key authentication, and
more. Public key authentication is often preferred for its security benefits.
3. Secure Remote Access: One of the primary use cases for SSH is secure
remote access to servers or network devices. Users can log in to a remote
system and execute commands as if they were physically present at the
machine.
4. Secure File Transfer: SSH includes secure file transfer capabilities,
allowing users to transfer files securely between the client and the server
using tools like SCP (Secure Copy Protocol) or SFTP (SSH File Transfer
Protocol).
5. Tunneling: SSH supports tunneling, which allows the creation of
encrypted channels for forwarding other network services. This can be
used to secure various applications, such as database connections or web
browsing.
6. Port Forwarding: SSH can forward traffic from one port on a local
machine to another port on a remote machine, creating a secure
communication channel even for services that might not inherently support
encryption.
7. Key Management: SSH utilizes key pairs for authentication. Users can
generate public and private key pairs, with the public key stored on the
server and the private key securely held by the user. This enhances security
and eliminates the need for password-based logins.